

Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
alecpl committed Jan 7, 2017
1 parent 58e63a6 commit f90f22f
Showing 4 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
Expand Up @@ -8,6 +8,7 @@ CHANGELOG Roundcube Webmail
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)

RELEASE 1.2.3
-------------
2 changes: 1 addition & 1 deletion program/lib/Roundcube/rcube_utils.php
Expand Up @@ -396,7 +396,7 @@ public static function mod_css_styles($source, $container_id, $allow_remote = fa
// ignore the whole block if evil styles are detected
$source = self::xss_entity_decode($source);
$stripped = preg_replace('/[^a-z\(:;]/i', '', $source);
$evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\(' : '');
$evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\((?!data:image)' : '');

if (preg_match("/$evilexpr/i", $stripped)) {
return '/* evil! */';
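Review bot: The data-URI exemption `url\((?!data:image)` on the new `$evilexpr` line is now duplicated verbatim in program/steps/mail/func.inc in the same commit, and the two copies already differ in regex modifiers, so they are likely to drift further; consider keeping the expression in one place, for example a class constant on rcube_utils that func.inc reuses. The line also deserves a comment such as `// lookahead runs on $stripped (whitespace, quotes and comments already removed), so url( "data:image/... is normalised before matching; any image/* subtype, including SVG, is let through` so the next reader knows the check is prefix-only and intentionally broad. Whether letting every image subtype through is acceptable appears to rest on browsers not executing script in CSS image contexts, which the hunk does not document. mod_css_styles starts and continues outside the hunk.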
2 changes: 1 addition & 1 deletion program/steps/mail/func.inc
Expand Up @@ -969,7 +969,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)

// now check for evil strings like expression, behavior or url()
if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
if (!$washtml->get_config('allow_remote') && stripos($stripped, 'url(')) {
if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/', $stripped)) {
$washtml->extlinks = true;
}
else {
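Review bot: The new `preg_match('/url\((?!data:image)/', $stripped)` is case-sensitive, whereas the `stripos()` it replaces was not and the sibling `expression|behavior|...` pattern two lines above uses `/i`; since CSS function names are case-insensitive, a style containing `URL(http://...)` would no longer set `$washtml->extlinks` when remote content is disallowed, unless `$stripped` is lowercased earlier in the function, which the hunk does not show. Add the modifier: `if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/i', $stripped)) {`. That also aligns this copy with the `/i` used for the same expression in program/lib/Roundcube/rcube_utils.php in this commit. rcmail_washtml_callback starts and its else-branch ends outside the hunk.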
4 changes: 4 additions & 0 deletions tests/Framework/Utils.php
Expand Up @@ -214,6 +214,10 @@ function test_mod_css_styles_xss()

$mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");

// allow data URIs with images (#5580)
$mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
$this->assertEquals("#rcmbody { background-image: url(data:image/png;base64,123); }", $mod, "Data URIs in url() allowed");
}

/**
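Review bot: The added case only pins the positive path (an image data URI is kept); nothing asserts that the exemption is narrow, so a later widening of the lookahead would go unnoticed. Add negative assertions next to it, e.g. `$this->assertEquals('/* evil! */', rcube_utils::mod_css_styles("body { background-image: url(data:text/html,x); }", 'rcmbody'), "Non-image data URIs still blocked");` and a similar one for a remote `url(http://...)` with the default `$allow_remote`. A case using `url(DATA:IMAGE/png;base64,123)` would also document that the `/i` modifier on the pattern is intentional. test_mod_css_styles_xss starts outside the hunk.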
